In the Linux kernel, the following vulnerability has been resolved:

fbdev: defio: fix the pagelist corruption

Easily hit the below list corruption:

listadd corruption. prev->next should be next (ffffffffc0ceb090), but was ffffec604507edc8. (prev=ffffec604507edc8). WARNING: CPU: 65 PID: 3959 at lib/listdebug.c:26 listaddvalid+0x53/0x80 CPU: 65 PID: 3959 Comm: fbdev Tainted: G U RIP: 0010:listaddvalid+0x53/0x80 Call Trace: <TASK> fbdeferrediomkwrite+0xea/0x150 dopagemkwrite+0x57/0xc0 dowppage+0x278/0x2f0 _handlemmfault+0xdc2/0x1590 handlemmfault+0xdd/0x2c0 douseraddrfault+0x1d3/0x650 excpagefault+0x77/0x180 ? asmexcpagefault+0x8/0x30 asmexcpage_fault+0x1e/0x30

RIP: 0033:0x7fd98fc8fad1

Figure out the race happens when one process is adding &page->lru into the pagelist tail in fbdeferrediomkwrite(), another process is re-initializing the same &page->lru in fbdeferrediofault(), which is not protected by the lock.

This fix is to init all the page lists one time during initialization, it not only fixes the list corruption, but also avoids INITLISTHEAD() redundantly.

V2: change "int i" to "unsigned int i" (Geert Uytterhoeven)